We've confirmed the problem. We're working on a patch.
In the meantime, everybody go meditate on the documentation for how to
report security issues.
--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
I'm wondering if a multithreaded webserver setup would be more guarded
against this sort of thing?
This was indeed a security exploit, and it has been fixed. See
http://www.djangoproject.com/weblog/2009/oct/09/security/ for details.
Jacob
This bug has no effect on FreeBSD systems I've tested, so it looks like
it is OS specific.
FreeBSD 7.0, 7.1, 7.2 + python 2.5.4 work fine.
> $ time python -c "from django.forms.fields import email_re; email_re.match('viewx3dte...@yahoo.comx26latlngx3d15854521645943074058'); import django; print django.VERSION"
(1, 1, 0, 'final', 0)
real 0m0.086s
user 0m0.055s
sys 0m0.029s
Linux 2.6.27 + python 2.5.4 fails.
> $ time python -c "from django.forms.fields import email_re; email_re.match('viewx3dte...@yahoo.comx26latlngx3d15854521645943074058'); import django; print django.VERSION"
^CTraceback (most recent call last):
File "<string>", line 1, in <module>
KeyboardInterrupt
real 0m21.317s
user 0m21.173s
sys 0m0.044s
Cheers
Tom
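The check Tom ran by hand above (time a single match, hit ^C when it hangs) can be automated so a pathological pattern never wedges the tester. This is an added Python 3 example, not code from the thread or from Django: it runs the match in a child interpreter that subprocess.run kills on timeout, then doubles the input length to find where a pattern blows its budget. The nested-quantifier pattern `^(a+)+$` is a textbook stand-in, since the actual email_re is not shown in the thread.

```python
"""Time-box a regex match in a throwaway interpreter so catastrophic
backtracking (as with email_re above) cannot hang the calling process."""
import json
import subprocess
import sys

# Code executed in the child: read (pattern, text) as JSON on stdin,
# run the match, report wall-clock seconds and the outcome as JSON.
_CHILD = r"""
import json, re, sys, time
pattern, text = json.load(sys.stdin)
t0 = time.perf_counter()
matched = re.match(pattern, text) is not None
print(json.dumps({"seconds": time.perf_counter() - t0, "matched": matched}))
"""


def time_match(pattern, text, limit_s=2.0):
    """Return (seconds, matched), or None if the match exceeded limit_s.

    subprocess.run kills the child on timeout, so a hanging pattern costs
    at most limit_s of CPU. An invalid pattern raises CalledProcessError."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD],
            input=json.dumps([pattern, text]),
            capture_output=True, text=True, timeout=limit_s, check=True)
    except subprocess.TimeoutExpired:
        return None
    result = json.loads(proc.stdout)
    return result["seconds"], result["matched"]


def hang_threshold(pattern, make_input, limit_s=2.0, max_n=4096):
    """Double the input length until a match exceeds limit_s; return that
    length, or None if every size up to max_n finished within budget."""
    n = 1
    while n <= max_n:
        if time_match(pattern, make_input(n), limit_s) is None:
            return n
        n *= 2
    return None


if __name__ == "__main__":
    # Constructed input: a run of 'a' followed by a character that forces
    # every way of splitting the run to be tried before the match fails.
    almost = lambda n: "a" * n + "!"
    print("safe   :", hang_threshold(r"^a+$", almost, limit_s=1.0, max_n=64))
    print("nested :", hang_threshold(r"^(a+)+$", almost, limit_s=1.0, max_n=64))
```

A regex that is accepted by this harness at the sizes your inputs can reach is not proven safe, but one that trips it at a modest length should not be used on untrusted input.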